Ido Schimmel edited this page Aug 30, 2017 · 25 revisions
Table of Contents
  1. TC flower
    1. Supported Keys
    2. Supported Actions
    3. Drop Action Example Usage
    4. Trap Action Example Usage
    5. Multi-table/Multi-chain Support
    6. More Examples
  2. Further Resources

TC flower

It is possible to offload TC flower rules with a limited set of keys and actions to the netdevs that represent mlxsw ports.

Before configuring match rules on enp3s0np1, one must first create the queueing disciplines (qdiscs) to which the flower classifier will be attached.

Note: Offloading is not yet supported for soft-netdevs (e.g., bridge, bond, vlan) or the management port.

Note: Offloading is for now only supported for netdevs which are bridged or have an IPv4 address assigned.

In order to prepare for addition of flower rules, either add the ingress qdisc or clsact qdisc to enp3s0np1:

$ tc qdisc add dev enp3s0np1 ingress

or:

$ tc qdisc add dev enp3s0np1 clsact

The benefit of clsact qdisc is that it can be used not only for insertion of ingress rules, but also egress rules.

The rest of the examples here will use the ingress qdisc. To see a couple of examples using the clsact qdisc, please see the More Examples section.

Supported Keys

  • protocol (ethertype) [4.11]
  • src_mac [4.11]
  • dst_mac [4.11]
  • src_ip (both IPv4 and IPv6) [4.11]
  • dst_ip (both IPv4 and IPv6) [4.11]
  • ip_proto ("tcp" and "udp") [4.11]
  • src_port [4.11]
  • dst_port [4.11]
  • vlan_prio [4.12]
  • vlan_id [4.12]
  • tcp_flags [4.13]
  • ip_ttl [4.14]
  • ip_tos [4.14]

Note: Packets that arrive without an 802.1q TCI or only priority-tagged are assigned the bridge PVID by the hardware. Thus a flower match on the vlan_id of the PVID will match untagged packets as well.

Supported Actions

  • action drop [4.11]
  • mirred egress redirect (forward) [4.11]
  • action vlan modify [4.12]
  • trap [4.13]

Note: Packets that arrive without an 802.1q TCI or only priority-tagged are assigned the bridge PVID by the hardware. Thus a "vlan modify" to a non-PVID tag in effect pushes a VLAN tag onto such a packet, and likewise a "vlan modify" to the PVID tag pops it. This is unlike the software pipeline, where "vlan modify" is only meaningful on packets that are already 802.1q-tagged.

Drop Action Example Usage

$ tc filter add dev enp3s0np1 parent ffff: protocol ipv6 pref 2 flower skip_sw src_ip fe01::1 action drop

This adds a rule with priority 2 matching every IPv6 packet whose source address is fe01::1; the selected action is drop. Note the skip_sw keyword, which instructs TC not to insert the rule into the kernel's software datapath. If this keyword is omitted, the rule is inserted into both the kernel and the hardware. With skip_sw, a rule that the hardware cannot offload is rejected at insertion time rather than silently falling back to software; the opposite keyword, skip_hw, keeps a rule in software only.

To see the list of inserted rules, run:

$ tc filter show dev enp3s0np1 root

Each rule maintains packet, byte and last-used statistics. To display them, add the -s flag:

$ tc -s filter show dev enp3s0np1 root
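Reading these counters by hand across many rules is tedious, and a rule that was inserted without skip_sw and stayed in software only is easy to overlook. The script below is an added example, not code from the mlxsw wiki or driver: it reads the output of `tc -s filter show` from stdin and prints one line per rule with its packet and byte counters, flagging rules that newer iproute2 reports as not_in_hw. The rule-header and "Sent" line layout it parses is the usual flower dump format, and the sample embedded in sample_output is constructed, not captured from a switch.

```shell
#!/bin/sh
# Added example (not part of the mlxsw wiki): summarise per-rule hit counters
# from "tc -s filter show dev <dev> root" output.
#   tc -s filter show dev enp3s0np1 root | sh flower_stats.sh -
#   sh flower_stats.sh --demo      # run over the constructed sample below
# Output: "pref <n> handle <h> <pkts> pkts <bytes> bytes[ NOT OFFLOADED]"
# The in_hw/not_in_hw flag lines are printed by newer iproute2 (assumption:
# your tc is recent enough to emit them); only the first action's
# counters of each rule are reported.

flower_stats() {
    awk '
        # Every rule dumps a header line carrying "handle"; the per-priority
        # header lines without it carry no counters and are skipped.
        /^filter / && / handle / {
            pref = ""; handle = ""; hw = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "pref")   pref = $(i + 1)
                if ($i == "handle") handle = $(i + 1)
            }
            next
        }
        # A not_in_hw rule exists only in the kernel datapath: the switch
        # is not enforcing it.
        $1 == "not_in_hw" { hw = " NOT OFFLOADED" }
        # Action statistics: "Sent <bytes> bytes <pkts> pkt (dropped ...)"
        $1 == "Sent" && pref != "" {
            printf "pref %s handle %s %s pkts %s bytes%s\n", pref, handle, $4, $2, hw
            pref = ""
        }
    '
}

# Constructed sample of a two-rule dump (not real switch output).
sample_output() {
    cat <<'EOF'
filter protocol ipv6 pref 2 flower chain 0
filter protocol ipv6 pref 2 flower chain 0 handle 0x1
  eth_type ipv6
  src_ip fe01::1
  skip_sw
  in_hw
        action order 1: gact action drop
         random type none pass val 0
         index 1 ref 1 bind 1 installed 120 sec used 3 sec
        Action statistics:
        Sent 1500 bytes 10 pkt (dropped 10, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

filter protocol ip pref 20 flower chain 0
filter protocol ip pref 20 flower chain 0 handle 0x1
  eth_type ipv4
  dst_mac f4:52:14:10:df:92
  not_in_hw
        action order 1: mirred (Egress Redirect to device enp3s0np19) stolen
         index 2 ref 1 bind 1 installed 120 sec used 0 sec
        Action statistics:
        Sent 64000 bytes 500 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
EOF
}

case "${1:-}" in
    --demo) sample_output | flower_stats ;;
    -)      flower_stats ;;
esac
```

Because filter handles are allocated per priority, two rules can share handle 0x1; the pref is part of the key, which is why the summary prints both.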

Trap Action Example Usage

$ tc filter add dev enp3s0np1 parent ffff: protocol ipv6 pref 2 flower skip_sw src_ip fe01::1 action trap

This adds a rule with priority 2 matching every IPv6 packet whose source address is fe01::1; the selected action is trap. As above, the skip_sw keyword instructs TC not to insert the rule into the kernel's software datapath; if it is omitted, the rule is inserted into both the kernel and the hardware.

This rule instructs the hardware to send matched packets to the kernel instead of forwarding them, so that the kernel can analyse them further. Trapped packets appear to the kernel as if they had been received on enp3s0np1.

Multi-table/Multi-chain Support

TC rules (filters) are grouped into chains and, within a chain, evaluated in order of priority (pref). Each chain can be looked at as a table of rules.

To insert a rule into a specific chain, one has to use the "chain" option:

$ tc filter add dev enp3s0np1 parent ffff: protocol ip chain 100 pref 10 flower skip_sw dst_ip 192.168.101.1 action drop

In this example, we added the rule to chain 100. If the chain option is omitted, the default chain 0 is assumed. Chain 0 is also the chain that always gets processed first; rules in any other chain are only evaluated for packets that are sent there with the "goto chain" action:

$ tc filter add dev enp3s0np1 parent ffff: protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 action goto chain 100
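Putting the two halves together, the script below is an added example (not code from the mlxsw wiki or driver) that builds a two-stage ACL on a port: chain 100 holds one drop rule per blocked destination, and chain 0 holds a single dispatch rule that sends IPv4 traffic to chain 100. Chain 100 is populated before the goto is added, so the dispatch never points at an empty chain, and every insert uses skip_sw so that a rule the hardware cannot offload aborts the script instead of landing silently in the software datapath. The device name and addresses are placeholders, and the TC variable can be overridden (for example TC=echo) to preview the commands without touching a switch.

```shell
#!/bin/sh
# Added example (not part of the mlxsw wiki): two-stage offloaded ACL.
#   sh build_acl.sh 192.168.101.1 192.168.101.2      # on DEV (default enp3s0np1)
#   TC=echo sh build_acl.sh 192.168.101.1            # preview only
set -e
TC="${TC:-tc}"
DEV="${DEV:-enp3s0np1}"
ACL_CHAIN=100

# Add the ingress qdisc only if the port does not have one yet.
ensure_qdisc() {
    if ! $TC qdisc show dev "$1" ingress | grep -q '^qdisc ingress'; then
        $TC qdisc add dev "$1" ingress
    fi
}

# Stage 2: the per-destination drop rules, in chain 100. With skip_sw an
# unsupported key or action makes "tc filter add" fail, and set -e stops here.
add_drop_rules() {
    dev=$1; shift
    pref=10
    for dst in "$@"; do
        $TC filter add dev "$dev" parent ffff: protocol ip chain $ACL_CHAIN \
            pref $pref flower skip_sw dst_ip "$dst" action drop
        pref=$((pref + 10))
    done
}

# Stage 1: the dispatch rule in chain 0. Chain 0 is always processed first,
# so until this rule exists chain 100 is never consulted; it is added last so
# traffic is only diverted once the drop rules are in place.
add_dispatch() {
    $TC filter add dev "$1" parent ffff: protocol ip pref 10 flower skip_sw \
        action goto chain $ACL_CHAIN
}

# Post-install check: a rule reported as not_in_hw is only enforced by the
# kernel datapath, not by the switch (flag printed by newer iproute2).
verify_offload() {
    if $TC filter show dev "$1" root | grep -q not_in_hw; then
        echo "warning: some rules on $1 are not offloaded" >&2
        return 1
    fi
}

build_acl() {
    dev=$1; shift
    ensure_qdisc "$dev"
    add_drop_rules "$dev" "$@"
    add_dispatch "$dev"
    verify_offload "$dev"
}

if [ $# -gt 0 ]; then build_acl "$DEV" "$@"; fi
```

Note that chain 100 is a deny list with no terminal rule: a packet that matches nothing there falls through and is forwarded normally, exactly as it would if the dispatch rule did not exist.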

More Examples

$ tc filter add dev enp3s0np1 parent ffff: protocol ip pref 20 flower skip_sw dst_mac f4:52:14:10:df:92 action mirred egress redirect dev enp3s0np19
$ tc filter add dev enp3s0np1 parent ffff: protocol ipv6 pref 10 flower skip_sw dst_ip fe01::3 ip_proto tcp dst_port 3333 action drop
$ tc filter add dev enp3s0np1 parent ffff: protocol 802.1q flower vlan_id 95 skip_sw action drop
$ tc filter add dev enp3s0np1 parent ffff: protocol all flower action vlan modify id 85

Using clsact qdisc:

$ tc filter add dev enp3s0np1 ingress protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 action trap
$ tc filter add dev enp3s0np1 egress protocol ip pref 10 flower skip_sw dst_ip 192.168.101.3 action drop

Further Resources

  1. man tc
  2. man tc-flower
  3. QoS in Linux with TC and Filters by Phil Sutter (part of iproute documentation)